The most common GDPR mistakes in organisations do not result from a lack of documentation. They result from documentation that exists on paper but is not reflected in how the organisation actually operates. Supervisory authorities do not inspect what is written in policies — they inspect how personal data is handled in practice.
An organisation may have a privacy policy, a record of processing activities and signed data processing agreements. If the record has not been updated for two years, the DPAs do not cover current suppliers, and nobody knows how to respond to a data subject request, that documentation provides no protection.
1. Uncontrolled access to personal data
In many organisations, nobody can give a clear answer to the question: who has access to personal data, and why? Access rights are granted when someone joins and never reviewed. Employees change roles, move departments or leave the organisation — and their access to data systems remains unchanged.
This is a direct breach of the data minimisation principle. It also means that in the event of a data breach, the organisation cannot determine who had access to the compromised data or for what reason.
More on how to structure access correctly can be found in the article on GDPR access control.
2. Missing data processing agreements
Organisations rely on dozens of external vendors — hosting providers, CRM platforms, email marketing tools, payroll software, accounting services. Most of these vendors process personal data on the organisation’s behalf, which means a Data Processing Agreement is required under Article 28 GDPR.
Missing DPAs are one of the most common and most easily identified findings during supervisory authority inspections. Many organisations assume that accepting a vendor’s terms of service is sufficient. It is not — unless those terms contain all the mandatory elements of a DPA.
Full guidance on when a DPA is required is in the article on data processing agreements.
3. Outdated or incomplete record of processing activities
A record of processing activities created at GDPR implementation and not updated since is one of the most frequent findings during inspections. New software tools have been added, new suppliers engaged, new processing activities started — none of which are reflected in the record.
A record that does not reflect the organisation’s current operations is not just useless — it actively demonstrates non-compliance. It shows that the organisation is not maintaining oversight of its own data flows.
How to maintain a current and complete record is covered in the article on records of processing activities.
4. Non-compliant cookie banners
Cookie consent is one of the areas where supervisory authorities across Europe have been most active in enforcement. The most common violations are banners that offer only an “Accept” option with no equally prominent decline option, and banners that activate tracking scripts before consent has been given.
Consent must be freely given, specific, informed and unambiguous. A banner that makes declining more difficult than accepting — through visual design, additional steps, or the absence of a “Reject all” button — does not meet this standard.
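The two banner failures described above, tracking that fires before any decision and a banner with no equally easy decline path, can be checked in code. The following is an added example written for this article, not code from the original page or from any product it mentions; the banner model (choices with a step count) and the consent gate are constructed here and run without a browser DOM.

```javascript
// Added example (not from the original article). A compliant banner must make
// declining as easy as accepting, and no tracker may load before the decision.

// Constructed banner model: { choices: [{ label, action, steps }] }, where
// steps is how many clicks the option takes. Declining must not cost more.
function bannerIsCompliant(banner) {
  const accept = banner.choices.find((c) => c.action === 'accept');
  const reject = banner.choices.find((c) => c.action === 'reject');
  if (!accept || !reject) return false; // "Accept"-only banner: not valid consent
  return reject.steps <= accept.steps;  // hidden behind "Manage": not valid either
}

// Gate that holds tracker loaders until an explicit, purpose-specific decision.
function createConsentGate() {
  const pending = new Map(); // purpose -> [loader, ...] waiting for consent
  const granted = new Set(); // purposes the user has actually agreed to
  let decided = false;
  return {
    // Trackers register at page load; nothing runs until consent exists.
    register(purpose, loader) {
      if (decided && granted.has(purpose)) { loader(); return; }
      if (!pending.has(purpose)) pending.set(purpose, []);
      pending.get(purpose).push(loader);
    },
    // Consent is specific: the user picks purposes, not one blanket flag.
    accept(purposes) {
      decided = true;
      for (const p of purposes) {
        granted.add(p);
        for (const loader of pending.get(p) || []) loader();
        pending.delete(p);
      }
    },
    rejectAll() { decided = true; pending.clear(); granted.clear(); },
    hasConsent(purpose) { return granted.has(purpose); },
  };
}

// Simulates a page load with two trackers followed by the user's decision.
// decision is 'reject' or an array of accepted purposes.
function simulate(decision) {
  const gate = createConsentGate();
  const loaded = [];
  gate.register('analytics', () => loaded.push('analytics'));
  gate.register('marketing', () => loaded.push('marketing'));
  const beforeDecision = loaded.length; // must be 0: consent not yet given
  if (decision === 'reject') gate.rejectAll(); else gate.accept(decision);
  return { beforeDecision, loaded: loaded.slice() };
}
```

The check that matters for enforcement is `beforeDecision`: if it is ever non-zero, scripts are running before consent regardless of how the banner looks.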
5. No process for data subject requests
Data subject requests — for access, erasure, rectification or restriction — arrive through ordinary communication channels. They are often not recognised as formal GDPR requests, not registered, not assigned to anyone, and not tracked against the one-month deadline.
The result is that when the supervisory authority asks for evidence of how a request was handled, the organisation has nothing to show. Missed deadlines, incomplete responses and an absence of documentation are all enforcement risks.
How to build a reliable handling process is covered in the article on GDPR data subject rights.
6. No data retention policy — or a policy that is not enforced
Defining retention periods in a document and actually deleting data when those periods expire are two different things. Many organisations have a retention policy on paper but no process for enforcing it. Data remains in CRM systems, email archives and backups long after any legitimate purpose has ended.
When a supervisory authority asks why data collected five years ago is still being processed, “we haven’t got around to deleting it” is not an acceptable answer.
Practical guidance on defining and enforcing retention periods is in the article on GDPR data retention.
7. No data breach response procedure
GDPR requires controllers to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it — where the breach is likely to result in a risk to the rights and freedoms of individuals. In high-risk cases, the affected individuals must also be notified.
Many organisations have no documented procedure for assessing breaches, no defined escalation path, and no clarity on who decides whether notification is required. When a breach occurs, the absence of a procedure creates additional risk: the 72-hour window closes while the organisation is still trying to work out what to do.
8. Privacy policy that does not reflect reality
A privacy policy copied from a template or generated by an online tool — which describes tools the organisation does not use and omits those it does — does not fulfil the information obligations under Articles 13 and 14 GDPR. The information provided to individuals must be accurate, complete and specific to the organisation’s actual processing activities.
9. Risk assessment that is a one-time exercise
GDPR risk assessment conducted once at implementation and never revisited quickly becomes a document that describes a processing environment that no longer exists. New systems, new suppliers and new processing activities all require fresh assessment. For high-risk processing, a Data Protection Impact Assessment must be conducted before the processing begins — not after.
Full guidance on conducting and maintaining risk assessments is in the article on GDPR risk assessment and DPIA.
10. Treating GDPR as a one-time project
The most fundamental mistake is not confined to a single area. It is an approach: treating GDPR implementation as something to complete and close. Once the documents are signed and the policies are published, the organisation considers itself compliant.
GDPR is not a project — it is an ongoing management process. The record needs updating every time something changes. Access rights need reviewing when people change roles. DPAs need updating when suppliers change scope. Retention periods need enforcing, not just defining. Without treating compliance as a continuous operational responsibility, even the best initial implementation deteriorates rapidly.
Summary
The most common GDPR mistakes are not caused by a lack of knowledge. They are caused by a lack of process, oversight and accountability. Documentation that does not reflect operational reality provides no protection — it documents non-compliance. The organisations that sustain GDPR compliance are those that treat it as part of daily operations, not as a periodic administrative exercise.
Key principles:
- compliance is demonstrated through practice, not documentation,
- access rights, DPAs and the record of processing activities must all be kept current,
- data subject requests must be handled through a structured, documented process,
- retention periods must be enforced, not just defined,
- GDPR is an ongoing operational responsibility, not a one-time project.
Frequently asked questions about GDPR mistakes
Typically: an outdated or incomplete record of processing activities, missing DPAs with vendors, uncontrolled access rights, non-compliant cookie banners, and the absence of a documented data subject request process.
Yes — if the documentation does not reflect actual practice. Supervisory authorities assess how the organisation operates, not what its policies say. Documentation that contradicts operational reality may be treated as evidence of non-compliance.
Up to €20 million or 4% of total worldwide annual turnover, whichever is higher, for the most serious infringements. In practice, fines vary enormously depending on the nature and severity of the breach, the organisation’s cooperation and the steps taken to remediate.
Yes — GDPR applies to all organisations that process personal data, regardless of size. Supervisory authorities across Europe have issued fines to small and medium-sized businesses as well as large corporations.
With a systematic review: current state of the record of processing activities, list of all vendors and whether DPAs are in place, access rights register, and confirmation that a data subject request process exists. These four areas cover the most common findings and provide the most immediate compliance benefit.
Eliminate the most common GDPR mistakes with a structured compliance system
iGDPR helps organisations maintain an up-to-date record of processing activities, manage DPAs and access rights, handle data subject requests on time and enforce retention periods — all in one place. See how it works in practice.